Thursday, 15 May 2014

ECJ ruling calls search
engines data ‘controllers’ and provides data subjects with a means to prompt
search engines to delete links even if the provider has published them lawfully

May 13, 2014

By Jedidiah Bracy, CIPP/US,
CIPP/E

In what many are calling an
historic decision, the European Union’s
highest court has ruled that Google
must provide users, in certain instances, with a right to delete links about
themselves, including in some cases, public records.

The European Court of Justice
(ECJ) said the automatic indexing of information that contains personal data
“must be classified as ‘processing of personal data’” and that “the operator of
the search engine must be regarded as the ‘controller’ in respect to that
processing…” Additionally, “the operator of a search engine is obliged to
remove from the list of results displayed following a search made on the basis
of a person’s name links to web pages, published by third parties and
containing information relating to that person,” even “when its publication in
itself on those pages is lawful.”

An individual’s fundamental
rights, the court also ruled, override “the economic interest of the operator
of the search engine but also the interest of the general public” in having
that information. The exception would be the role played by the subject in
public life and if the general public’s right to access the information is
justified.

On leave from her role as
European justice commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in
California or anywhere else in the world” and that “the data belongs to the
individual, not the company.”

In comments provided to The
Privacy Advisor, German Green Member of Parliament and architect of the
proposed data protection regulation Jan Philipp Albrecht said the ruling “is
the right decision” and that it “clarifies that European data protection law is
applicable as soon as a data controller is operating on the European market.”
He also stressed the importance of adopting “a uniform and consistent data
protection regulation in order to strengthen the enforcement of such rights in
all areas of the law and throughout the EU” and that governments “must finally
deliver on this issue at the next Justice and Home Affairs Council in June.”

Companies can no longer hide behind their servers
being based in California or anywhere else in the world.

Viviane Reding, European
Justice Commissioner

For some, however, the fact
that existing legislation provides for the right to be forgotten puts in
question the need for a new regulation at all. Richard Cumbley of Linklaters
told The New York
Times, “Given that
the EU has spent two years debating this right as part of the reform of EU
privacy legislation, it is ironic that the ECJ has found it already exists in
such a striking manner.”

But Wilson Sonsini’s
Christopher Kuner said this ruling could actually provide further impetus to
pass the proposed General Data Protection Regulation, as it more clearly spells
out the Right-to-be-Forgotten concept and is more uniform in its application.
Right now there are 28 different countries with 28 different privacy regimes.
“If I were a company,” he said, “I’d say bring on the regulation because at
least there’s a specific article on this, but today’s ruling is based on
multiple articles” from the Directive.

Calling the decision “a real
game-changer,” privacy expert Eduardo Ustaran, CIPP/E, told The Privacy
Advisor, “As a result, search engines operating in Europe will now have to
deploy measures to deal with the obligations and rights attached to the
personal information revealed in searches.”

Operationally, this will “put
search engines in the extremely onerous position of having to take a view on
how to comply with potentially millions of individual requests.” In a 2012
article for The Privacy Advisor, a number of experts detailed some of the technical problems companies
may face in implementing such controls.

The case goes back to a 2009 incident involving
a Spanish citizen who objected to having a Google search of his name include a
1998 Spanish newspaper article that reported on his financial debts and the
forced sale of his property. The plaintiff said he had resolved the financial
issue and demanded that the local newspaper delete the links to the story. When
it refused, the plaintiff asked Google to do the same. The case made its way to
the Spanish data protection authority, which ordered Google to remove the
links. Google challenged the DPA’s ruling and the case was finally referred to
the ECJ.

The most recent ruling
contrasts with a preliminary
ruling in June 2013 by the ECJ’s
Advocate General Niilo Jääskinen, who decided Google did not need to delete the
links because it was not the “controller” of data and that information should only
be deleted when the personal information is either incomplete or inaccurate.

In the past, Google has argued
that the right to be forgotten amounts to censorship. A Google spokesman told Wired, “This is a disappointing ruling for search
engines and online publishers in general. We are very surprised that it differs
so dramatically from the advocate general’s opinion and the warning and
consequences that he spelled out. We now need to take time to analyse the
implications.”

The ECJ ruling has some up in
arms about potentialfreedom of expression and censorship concerns. Ustaran said, “Whilst the
court does not go so far as letting people share their online persona without
taking freedom of expression into account, it allows some form of tailor-made
censorship.”

George Mason University’s Adam
Thierer went further, arguing, “Right-to-be-forgotten efforts are
well-intentioned and seductive, but ultimately, they will require onerous
censorial controls that place serious pressure on free speech, journalistic pursuits
and net freedom more generally.”

As legal experts begin parsing
out the legal ramifications of the ruling—Patrick van Eecke takes an initial
swing in this post for The
Privacy Tracker—ultimately,
commenters agree, the ripples will be felt for some time.

Technologically speaking,
Prof. Joel Reidenberg points out that algorithms are at play here as well.

Kuner said there remain a lot of unanswered questions and that this
ruling “opens the door to many unintended consequences.”

Beyond Google, what other
companies will this apply to? If your website has a Google search bar in it,
does that make you a co-controller? He also said the ripple effect will not
only place an administrative burden on search engine companies, but on the
courts and data protection authorities as well. Will they have the resources to
deal with a flood of complaints?

“In summary,” Ustaran concluded,
“this decision could have very serious implications for the way in which we all
access information on the Internet.”

Tuesday, 13 May 2014

The Data Protection Commissioner’s office dealt with 1,507 valid data
breach notifications, including the largest such breach it had ever dealt with
– the breach by the Ennis-based company Loyaltybuild (above), which processed
holiday loyalty schemes on behalf of companies all over Europe, including
Supervalu and Axa in Ireland.

The disclosure by a GP of a
woman’s medical records to an insurance company and the sending of an email
containing a patient file by another GP to an incorrect address were among the
case studies highlighted in the 2013 annual report.

Notification was also received
by the Data Protection Commissioner’s office from a medical practitioner that
their computer system had been compromised by ‘ransomware’ and that they were
unable to access their patient files.

They had received a demand for
€ 5,000 in return for the reinstatement of the data but they had informed
gardaí and had not paid the ransom. Five months worth of patient files were
lost as the practitioner also discovered the back-up files had been infected
with the rogue software.

Case studies highlighted also included a complaint against Carphone
Warehouse, after a trainee employee gave out a customer’s home
address in an “isolated” area to two individuals who claimed to have found her
mobile phone and wanted to return it to her after it was stolen and seeking a
reward for finding it.

The report said the disclosure
of the woman’s address to strangers resulted in “considerable distress”.
Regardless of the fact that the employee concerned was a trainee, this
disclosure should not have happened.

Electric Ireland
was the subject of a complaint over its ‘Feet on the Street’ marketing campaign
after a sales agent called to a former customer’s home and was in possession of
their personal details.

The Data Protection
Commissioner told Electric Ireland its processing of the information was
unlawful.

Mr Hawkes said companies
needed to “tread carefully” in the space of win-back marketing campaigns as
“without the prior marketing consent of the former customers concerned, there
is no legal basis to process marketing lists using such retained personal
data”.

It was also “disappointing”
that the telecommunications sector remained a cause of complaint given the
number of prosecutions taken against that sector in recent years for marketing
offences.

The office dealt with 1,507
valid data breach notifications, including the largest such breach it had ever
dealt with – the breach by the Ennis-based company Loyaltybuild,
which processed holiday loyalty schemes on behalf of companies all over Europe,
including Supervalu
and Axa in Ireland.

Some 61 per cent of data
breaches were the result of postal mailing breaches. The annual report said
that while a number of these were the result of mail merge issues at the
printing stage, “an unacceptably high” percentage were the result of human
error.

Complaints about unsolicited
direct marketing text messages, emails, phone calls and fax messages were 22.4
per cent of the total.

Bad customer service was
increasingly the driving force behind people making requests under the Data
Protection Acts to get access to their personal data, the commissioner’s office
said.

The 517 complaints concerning
access requests accounted for some 56.8 per cent of the total of 910 complaints
opened by the Data Protection Commissioner’s office in 2013. This was the
highest number ever received by the office in this category.

Mr Hawkes said this pointed to
the extent of the difficulties being experienced by individuals in their
efforts to exercise their rights and the barriers that some data controllers
place in their way.

“Data protection has to be a
corporate concern, a boardroom concern, with the clear direction coming from
the top of every organisation whether that’s in the public or private sector.”

Commissioner Billy Hawkes
cites example of man whose data was accessed by ex-wife working in Department
of Social Protection

Irish Times , Monday 12th May 2014

Action is needed to tackle
deficiencies in how the public service protects the personal data of citizens
before such action is triggered by a “crisis”, the Data Protection Commissioner
has said.

Billy Hawkes
was speaking today on the publication of his annual report for 2013, which is
his final annual report in the office. He retires in August.

Mr Hawkes highlighted a number
of issues of concern and said his audits of State organisations had “in too
many cases, shown scant regard by senior management to their duty to safeguard
the personal data entrusted to them – a duty that is all the greater because of
the legal obligation to provide such personal data to the State”.

Laudable objectives such as
fraud prevention and greater efficiency must meet a test of proportionality in
the manner in which data is used.”

In one case study published in
the report, his office received a complaint from a man concerned about
inappropriate access to his details by an employee of the Department of Social
Protection– namely his ex wife.

There were 12 instances of
unauthorised access to his records between February 2004 and July 2009. An
investigation was carried out by the department and the matter was referred to
the HR division for possible action under the Civil Service Disciplinary Code.

Mr Hawkes said once again this
case highlighted “the unacceptable practice by some individuals of snooping
through official records for personal reasons unconnected with their official
duties”. Taking no action against individuals caught in engaging in such
activity was “not acceptable” and it should be clear to all users there there
were “serious negative consequences” for unauthorised access to personal
information for unofficial purposes.

“Varying degrees of personal
information relating to every citizen in the State is held on databases within
Government Departments and officials who have access to this information to
conduct their official duties are entrusted to access and use that information
in accordance with the requirements of their functions,” he said.

“Straying beyond the
boundaries of their official duties in terms of accessing personal records
amounts to unlawful activity by the individuals concerned. For that reason, it
is critical that data controllers, such as a Government Department in this
case, have robust disciplinary policies in place to deal with any breaches.”

Mr Hawkes told The Irish
Times he believed “the State system in general is not paying sufficient
attention to its responsibilities for the quantum of data it holds on all of
us”.

“I suppose if I had a parting
wish as Data Protection Commissioner it is that there would be system-wide
action taken on data protection – that would be the responsibility of the Department of
Public Expenditure and Reform - rather than have it triggered by a
crisis, which I think is inevitable unless action is taken.”

In relation to the audit of
the An Garda Síochana Pulse system, which was published earlier in the year, Mr
Hawkes recommended in his report that the force should have a dedicated data
protection unit.

He said he expected the force
to now “actively enforce” the terms of a directive from headquarters and to
take “strong and appropriate disciplinary action against any persons abusing
their access to Pulse and prosecutions against any person found to be using
such access for gain”.

He also expressed concern
about the use for criminal purposes of the fingerprints of individuals who were
required to provide such prints in connection with applications for asylum,
visas and residence.

In his report, Mr Hawkes said
the debate resulting from the revelations last year by the former NSA
contractor Edward Snowden
of the extent of access by US and European intelligence agencies to personal
data had “thrown a welcome spotlight on the general issue of state access to
personal data”.

A recent decision by the Court
of Justice of the European Union
to invalidate the EU Data Retention Directive relating to phone and internet
data had “clearly set out the need for proportionality in this area”.

“The CJEU judgment also shows
the importance of challenging such privacy-destroying measures, as was done in
this case by Digital Rights Ireland,
supported by the Irish Human
Rights Commission. ”